How Secure is Google Docs for Sharing Sensitive Information?

I was wondering if Google Docs is a secure place to store and share private information (with select individuals you choose to share with, of course)? I am curious about this in general, but also asking because I do a lot of remote independent contract work and just made a deal with a new company who wants me to fill out some new employment forms they have shared with me in Google Docs. Some of the information they ask for is the kind of thing you don't want broadcasted over the internet. Thoughts?


Google Docs is a secure place to save and share information with selected people; however, those people can download and share the information without you being able to track who has done it.

These days lots of corporates are moving their email infrastructure to the cloud (Gmail), and Gmail provides a 100% SLA. So in short it is secure; however, hackers/spammers these days try to exploit the smallest bug to gain control of the system/information.

I agree with Hank and Romeo. First invest in some good encryption software. I personally use Symantec PGP. Then encrypt all the PII files that you want to share. You can email the files, put the files in any one of the many clouds that are available and you should be OK. Encryption is a must for sharing files containing PII.

They are no more or less safe than any other cloud provider, and the usual risks of "moving to the cloud" apply. You need to give up control in exchange for the convenience, and implicitly trust that they are doing enough to protect your data. I agree with the other posters - if it is info that you would not like to be in the public domain, you need to remove their ability (or anybody else's ability) to access it - which means strong encryption where they don't have the key.

Snowden also said that encryption via things like AES has only been cracked by the NSA when they have managed to bribe vendors into tinkering with algorithms and PRNGs. So if you encrypt via a non-bribed provider's technology, you are safe.

"Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it."

So encryption works, but the info has to be in plaintext somewhere to be useful, and that somewhere is porous in popular systems.

We need really isolated ID-PKI spaces where we can safely handle unencrypted information.

Why would anyone think that storing anything in "The Cloud" would be safe from prying eyes; NSA or private? There may not be any encryption scheme that is safe from the NSA. But, if you want to attempt to retain control over your own privacy then encrypt your documents before you move them to any external service. PGP would be a good start: http://en.wikipedia.org/wiki/Pretty_Good_Privacy. Encrypt them with your correspondent's public key.

Just because you are not paranoid, doesn't mean that you are not being stalked.

Yes, the source CAN be read. But how can you be sure this particular source is checked/read for backdoors? Do not overestimate the openness of source. And even if 100 people read the source, how many of them will see the backdoor?

Adding to Romeo's points, wouldn't access to the source make it easier to find ways of introducing a vulnerability that's extremely difficult to spot that you can later exploit? And give you the ability to compile and thoroughly test it?
We know OSS companies have been breached in the past, and there are many authorized people (all potentially bribable) with access to the source trees. The question you need to be asking (instead of clinging to the totally busted "more eyes equals better security" myth) is what controls are in place to detect changes in the source, and how far back do you need to go? (the GnuTLS bug was introduced over a decade ago, and there were X.11 bugs found recently that were 22 years old!)

Ah, no. Read access to the source isn't the same as write access. That's why there is a review process for changes. So while it's possible to subvert the process with a plant (a 'volunteer' working against security within the project) that's no different than in the case of closed source software development - except there are fewer people in the review process with closed source. This also points out the need to occasionally review the full code - like during major revisions.

Closed source software has had similar occurrences with the same bad press. In any case, too many people confuse 'better' with 'perfect'. We could throw up our hands and toss the entire model, but it might be more helpful to ask 'what would be better?'

>> that's no different than in the case of closed source software development - except there are fewer people in the review process with closed source

I'm not suggesting that it is any different - in fact I am arguing that it ISN'T any different and OSS isn't inherently more secure simply because people can see the source.

I also think there is a big difference between the number of "potential" reviewers and the number of "actual" reviewers. OSS obviously has many more potential reviewers, but I think the number of actual reviewers is similar in both models. This is basically the "many eyes" myth, that is busted time and time again.

Personally, I agree that these forms can be shared online in their dormant and non-completed state. But once these forms are active (i.e. you are filling them out), consider emailing them directly to the sender, ideally in encrypted format. Like anything hosted online, there is always a risk of sensitive information being exposed or improperly accessed. It's better to err on the side of caution than to take the risk.
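
Several replies above recommend encrypting the completed form with the correspondent's public key before it goes to email or any cloud service. The script below is an added example, not code from any poster; it assumes GnuPG 2.1 or later is installed, and the recipient address, key and form contents are constructed for the demonstration.

```sh
#!/bin/sh
# Added example; every name, address and file content below is constructed.
set -eu

GNUPGHOME="$(mktemp -d)"; export GNUPGHOME   # throwaway keyring, not your real ~/.gnupg
chmod 700 "$GNUPGHOME"
WORK="$(mktemp -d)"
RECIPIENT="hr@example.com"                   # hypothetical correspondent
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME" "$WORK"' EXIT

# Stand-in for the correspondent's key pair. In real use you import only their
# PUBLIC key and confirm its fingerprint with them over a separate channel.
make_demo_recipient() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "Example HR <$RECIPIENT>" default default
}

# Fingerprint of the primary key for $1: the value to read back to the recipient.
recipient_fingerprint() {
  gpg --batch --with-colons --fingerprint "$1" |
    awk -F: '$1 == "fpr" && !seen++ { print $10 }'
}

# Encrypt file $1 to recipient $2, writing ASCII-armored ciphertext to $3.
encrypt_for() {
  gpg --batch --yes --quiet --armor --recipient "$2" --output "$3" --encrypt "$1"
}

# The storage provider's view: succeeds only if marker $2 is absent from file $1.
provider_cannot_read() {
  ! grep -q -- "$2" "$1"
}

# Only the holder of the matching private key can perform this step.
decrypt_as_recipient() {
  gpg --batch --quiet --decrypt "$1" 2>/dev/null
}

make_demo_recipient
printf 'Name: Jane Doe\nTax ID: 000-00-0000\n' > "$WORK/form.txt"   # constructed PII
encrypt_for "$WORK/form.txt" "$RECIPIENT" "$WORK/form.txt.asc"
echo "Recipient fingerprint: $(recipient_fingerprint "$RECIPIENT")"
if provider_cannot_read "$WORK/form.txt.asc" "000-00-0000"; then
  echo "Ciphertext hides the form contents; share form.txt.asc, not form.txt"
fi
```

The plaintext still exists on the machine where the form was filled in and on the recipient's machine after decryption, which is the endpoint weakness the Snowden quote in the thread refers to.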